Public Sector - What to Do Before Engaging a New Service Provider

on Monday, 26 April 2021.

In this article, we set out some key data protection considerations for public sector organisations who are looking to engage (or perhaps have already engaged) a third-party processor, particularly if they are a cloud-based provider.

The past year has seen an unprecedented rise in the use of online service providers. In particular, the rise in home-working has prompted many organisations to 'upgrade' their current IT offering, and move to solutions which are more suitable for remote-working.

Cloud-based solutions offer online tools to assist organisations with business continuity, despite the restrictions around physical working environments. Whilst these tools have undoubtedly ensured that working life is able to continue, they are not without their risks.

Check Your Data Processor Is GDPR Compliant

The provider is likely to be your organisation's data processor under the UK GDPR in respect of the personal data that will be stored on the platform. This will be the case if the provider processes personal data on your behalf, following your instructions. As such, the usual considerations will apply here that would apply to any other data processor. 

In the first instance, you will need to carry out appropriate due diligence on the proposed provider to check that their use of the personal data will comply with data protection law. Part of this process will be satisfying yourselves as to the information security practices the provider has in place. Some questions that you may want to look into include:

  • Where is the data stored? For example, we are aware that many service providers host data overseas (eg in the US or Ireland).
  • What security does the provider have in place to protect personal data? Is data encrypted while it is in transit and at rest? How secure is storage? Are they certified to a recognised information security standard such as ISO 27001?
  • What do the provider's terms and conditions have to say about personal data? Do they contain the mandatory provisions required by Article 28 of the UK GDPR?
  • What are the privacy settings like? Is it possible to limit personal data that is collected? Are there any privacy issues that flow from the provider's functionality that cannot be mitigated?

Sometimes providers of online services position themselves as a data controller rather than a data processor in respect of the data held. If a provider refers to itself as a data controller, or gives itself powers to use personal data for its own purposes, this may present a risk to your organisation which you should consider.

Ensure International Transfers Are Compliant

If personal data will be transferred outside of the UK to a country not considered to have adequate data protection laws, you will need to ensure that additional safeguards are in place for compliance. Fortunately, all countries in the European Economic Area (EEA) and some others (eg New Zealand and Japan) are considered to have adequate data protection laws under the UK GDPR. Where the data is being transferred outside of these countries, the appropriate safeguard might be ensuring that the standard contractual clauses ('SCCs') are incorporated into the agreement with the provider.

SCCs are model data protection clauses that can be used to make an international transfer of personal data lawful. However, following a court decision last year, using the SCCs may not be sufficient on their own and you may need to put additional safeguards in place for compliance. What safeguards are needed should be assessed on a case-by-case basis. For example, if the data is encrypted such that it cannot be accessed by the provider or anyone other than your organisation, then this may count as a suitable safeguard, but this will not be appropriate in all cases.

Last week the EU published a draft decision stating that the UK has adequate data protection laws. If adopted this decision will allow data to flow freely from the EEA to the UK. Data can already flow freely from the UK to the EEA so if your organisation is solely based in the UK this is unlikely to directly affect your compliance but it will make using service providers in the EEA easier.

Consider Compliance, Cyber-Crime, and Data Breaches

Demonstrating Compliance

To comply with the requirement to demonstrate your compliance, you should document the process outlined above. For example, there should be a record of the due diligence carried out. You should also make sure that your privacy notices cover the type of activity that you will be using the service provider for.

Cyber-Crime

Cyber-crime, including scenarios where ransoms are demanded to decrypt data or destroy improperly taken copies, is becoming much more commonplace in the digital age. You may remember that the NHS was subject to the WannaCry ransomware attack a few years ago, which illustrated the serious nature of these attacks, particularly where sensitive information is compromised. To assist with mitigating the risks here we recommend the following actions:

  • Ensure there is a written contract in place that contains the mandatory provisions set out in the UK GDPR.
  • Choose processors that provide 'sufficient guarantees' that they comply with the UK GDPR.
  • Take additional steps if the processor transfers personal data outside of the UK (to a country without adequate data protection laws).

Reportable Breaches

If your organisation needs to report a breach to the ICO and the breach was caused by a processor, the ICO is likely to be interested in whether the steps outlined above were taken.

In our experience, the ICO is far less likely to take enforcement action against an organisation if the arrangement is compliant and appropriate checks were carried out on the processor.

For further information on engaging new service providers, please contact Bronwen Jones (07818 018215) or Claire Hall (07467 148750) in our Data Protection team.